
ci: harden rustfmt auto workflow against PR token abuse#1971

Merged
paullegranddc merged 2 commits into main from codex/fix-vulnerability-in-rustfmt-workflow on May 11, 2026
Conversation

@paullegranddc
Contributor

Motivation

  • Close a repository-integrity vulnerability where a pull_request-triggered workflow could mint a write GitHub App token for PR-controlled runs and be retriggered on pushes after a label was applied.
  • Prevent forked-PR heads and post-label synchronize events from gaining access to repository contents: write credentials via the rustfmt-auto job.

Description

  • Removed the synchronize event from on: pull_request so labeled PRs are not automatically re-run on subsequent pushes.
  • Added a same-repository guard to the job if condition: github.event.pull_request.head.repo.full_name == github.repository to block fork PR heads from exercising the write-token flow.
  • Made the checkout explicit by setting repository: ${{ github.event.pull_request.head.repo.full_name }} and ref: ${{ github.event.pull_request.head.ref }} to avoid ambiguous branch-only checkouts.

Testing

  • Inspected the updated workflow with sed -n '1,220p' .github/workflows/rustfmt-auto.yml and confirmed the trigger and guard changes, which succeeded.
  • Verified the diff with git diff -- .github/workflows/rustfmt-auto.yml to ensure only the intended workflow hardening edits were made, which succeeded.
  • Committed the change with git add and git commit to record the fix, which succeeded.

Codex Task

Signed-off-by: paullegranddc <paul.legranddescloizeaux@datadoghq.com>
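The three changes in the description, laid out as a minimal workflow with the weak setting in comments beside the hardened one. This is an added illustration, not the repository's actual rustfmt-auto.yml: the job name, the gating label name, the App-token step and the "Before" lines are assumptions reconstructed from the description above.

```yaml
# Added illustration, not the repository's rustfmt-auto.yml. Assumed names:
# job "rustfmt-auto", gating label "rustfmt", an App token minted with
# actions/create-github-app-token from secrets APP_ID / APP_PRIVATE_KEY.
name: rustfmt-auto

on:
  pull_request:
    # Before: types: [labeled, synchronize]. Once the label was on, every
    # later push to the PR head (fork or not) re-ran the write-token job.
    # After: only the labeling event itself starts a run.
    types: [labeled]

permissions:
  contents: read  # default GITHUB_TOKEN stays read-only; writes use the App token

jobs:
  rustfmt-auto:
    # Before: if: contains(github.event.pull_request.labels.*.name, 'rustfmt')
    # After: also require the PR head to live in this repository, so a fork
    # head never reaches the step that mints a contents:write token.
    if: >-
      contains(github.event.pull_request.labels.*.name, 'rustfmt') &&
      github.event.pull_request.head.repo.full_name == github.repository
    runs-on: ubuntu-latest
    steps:
      - name: Mint App token
        id: app-token
        uses: actions/create-github-app-token@v1
        with:
          app-id: ${{ secrets.APP_ID }}
          private-key: ${{ secrets.APP_PRIVATE_KEY }}

      - name: Check out the PR head explicitly
        uses: actions/checkout@v4
        with:
          # Before: ref: ${{ github.head_ref }} (bare branch name, repository implied).
          # After: name both the repository and the ref.
          repository: ${{ github.event.pull_request.head.repo.full_name }}
          ref: ${{ github.event.pull_request.head.ref }}
          token: ${{ steps.app-token.outputs.token }}

      - name: Format and push back
        run: |
          cargo fmt --all
          git diff --quiet && exit 0
          git config user.name "rustfmt-bot"
          git config user.email "rustfmt-bot@users.noreply.github.com"
          git commit -am "chore: apply rustfmt"
          git push
```

With synchronize gone, later pushes to a labeled PR no longer re-run the job, so the label has to be reapplied to format new commits; that is the intended trade-off, since each run is now tied to an explicit maintainer action on a same-repository head.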
@paullegranddc paullegranddc force-pushed the codex/fix-vulnerability-in-rustfmt-workflow branch from a6d4276 to f82946a on May 11, 2026 13:11
@codecov-commenter

codecov-commenter commented May 11, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 72.59%. Comparing base (7a24f53) to head (41f1e6f).
⚠️ Report is 1 commit behind head on main.

Additional details and impacted files
@@            Coverage Diff             @@
##             main    #1971      +/-   ##
==========================================
- Coverage   72.64%   72.59%   -0.06%     
==========================================
  Files         448      450       +2     
  Lines       73629    73733     +104     
==========================================
+ Hits        53487    53523      +36     
- Misses      20142    20210      +68     
Components Coverage Δ
libdd-crashtracker 65.32% <ø> (+0.09%) ⬆️
libdd-crashtracker-ffi 37.68% <ø> (+0.85%) ⬆️
libdd-alloc 98.77% <ø> (ø)
libdd-data-pipeline 86.34% <ø> (-0.24%) ⬇️
libdd-data-pipeline-ffi 74.25% <ø> (-1.39%) ⬇️
libdd-common 79.81% <ø> (ø)
libdd-common-ffi 74.41% <ø> (ø)
libdd-telemetry 69.86% <ø> (ø)
libdd-telemetry-ffi 19.37% <ø> (ø)
libdd-dogstatsd-client 82.64% <ø> (ø)
datadog-ipc 76.22% <ø> (+0.04%) ⬆️
libdd-profiling 81.57% <ø> (ø)
libdd-profiling-ffi 64.51% <ø> (ø)
libdd-sampling 97.25% <ø> (ø)
datadog-sidecar 29.23% <ø> (-0.59%) ⬇️
datdog-sidecar-ffi 10.33% <ø> (-2.89%) ⬇️
spawn-worker 54.69% <ø> (ø)
libdd-tinybytes 93.16% <ø> (ø)
libdd-trace-normalization 81.71% <ø> (ø)
libdd-trace-obfuscation 87.26% <ø> (ø)
libdd-trace-protobuf 68.25% <ø> (ø)
libdd-trace-utils 89.31% <ø> (+0.04%) ⬆️
libdd-tracer-flare 86.88% <ø> (ø)
libdd-log 74.83% <ø> (ø)

@datadog-prod-us1-4

datadog-prod-us1-4 Bot commented May 11, 2026

Tests

🎉 All green!

❄️ No new flaky tests detected
🧪 All tests passed

🎯 Code Coverage (details)
Patch Coverage: 100.00%
Overall Coverage: 72.59% (-0.05%)

🔗 Commit SHA: 41f1e6f

@ekump ekump requested a review from a team as a code owner May 11, 2026 13:33
@dd-octo-sts
Contributor

dd-octo-sts Bot commented May 11, 2026

Artifact Size Benchmark Report

aarch64-alpine-linux-musl
Artifact Baseline Commit Change
/aarch64-alpine-linux-musl/lib/libdatadog_profiling.a 81.66 MB 81.66 MB 0% (0 B) 👌
/aarch64-alpine-linux-musl/lib/libdatadog_profiling.so 7.57 MB 7.57 MB 0% (0 B) 👌
aarch64-unknown-linux-gnu
Artifact Baseline Commit Change
/aarch64-unknown-linux-gnu/lib/libdatadog_profiling.a 97.83 MB 97.83 MB 0% (0 B) 👌
/aarch64-unknown-linux-gnu/lib/libdatadog_profiling.so 10.01 MB 10.01 MB 0% (0 B) 👌
libdatadog-x64-windows
Artifact Baseline Commit Change
/libdatadog-x64-windows/debug/dynamic/datadog_profiling_ffi.dll 24.40 MB 24.40 MB 0% (0 B) 👌
/libdatadog-x64-windows/debug/dynamic/datadog_profiling_ffi.lib 79.87 KB 79.87 KB 0% (0 B) 👌
/libdatadog-x64-windows/debug/dynamic/datadog_profiling_ffi.pdb 179.63 MB 179.65 MB +0% (+16.00 KB) 👌
/libdatadog-x64-windows/debug/static/datadog_profiling_ffi.lib 910.79 MB 910.79 MB 0% (0 B) 👌
/libdatadog-x64-windows/release/dynamic/datadog_profiling_ffi.dll 7.71 MB 7.71 MB 0% (0 B) 👌
/libdatadog-x64-windows/release/dynamic/datadog_profiling_ffi.lib 79.87 KB 79.87 KB 0% (0 B) 👌
/libdatadog-x64-windows/release/dynamic/datadog_profiling_ffi.pdb 23.11 MB 23.11 MB 0% (0 B) 👌
/libdatadog-x64-windows/release/static/datadog_profiling_ffi.lib 45.25 MB 45.25 MB 0% (0 B) 👌
libdatadog-x86-windows
Artifact Baseline Commit Change
/libdatadog-x86-windows/debug/dynamic/datadog_profiling_ffi.dll 21.02 MB 21.02 MB 0% (0 B) 👌
/libdatadog-x86-windows/debug/dynamic/datadog_profiling_ffi.lib 81.11 KB 81.11 KB 0% (0 B) 👌
/libdatadog-x86-windows/debug/dynamic/datadog_profiling_ffi.pdb 183.76 MB 183.76 MB 0% (0 B) 👌
/libdatadog-x86-windows/debug/static/datadog_profiling_ffi.lib 896.89 MB 896.89 MB 0% (0 B) 👌
/libdatadog-x86-windows/release/dynamic/datadog_profiling_ffi.dll 5.98 MB 5.98 MB 0% (0 B) 👌
/libdatadog-x86-windows/release/dynamic/datadog_profiling_ffi.lib 81.11 KB 81.11 KB 0% (0 B) 👌
/libdatadog-x86-windows/release/dynamic/datadog_profiling_ffi.pdb 24.74 MB 24.74 MB 0% (0 B) 👌
/libdatadog-x86-windows/release/static/datadog_profiling_ffi.lib 42.75 MB 42.75 MB 0% (0 B) 👌
x86_64-alpine-linux-musl
Artifact Baseline Commit Change
/x86_64-alpine-linux-musl/lib/libdatadog_profiling.a 72.78 MB 72.78 MB 0% (0 B) 👌
/x86_64-alpine-linux-musl/lib/libdatadog_profiling.so 8.41 MB 8.41 MB 0% (0 B) 👌
x86_64-unknown-linux-gnu
Artifact Baseline Commit Change
/x86_64-unknown-linux-gnu/lib/libdatadog_profiling.a 90.53 MB 90.53 MB 0% (0 B) 👌
/x86_64-unknown-linux-gnu/lib/libdatadog_profiling.so 10.03 MB 10.03 MB 0% (0 B) 👌

@paullegranddc paullegranddc merged commit 774285b into main May 11, 2026
62 checks passed
@paullegranddc paullegranddc deleted the codex/fix-vulnerability-in-rustfmt-workflow branch May 11, 2026 14:31